Debian Bug report logs - #624287
CVE-2009-5022


Package: tiff; Maintainer for tiff is Jay Berkenbilt <qjb@debian.org>;

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Wed, 27 Apr 2011 07:15:02 UTC

Severity: grave

Tags: security

Found in version 3.9.4-5

Fixed in versions 3.9.5-1, tiff/3.9.4-5+squeeze2

Done: Jay Berkenbilt <qjb@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Jay Berkenbilt <qjb@debian.org>:
Bug#624287; Package tiff. (Wed, 27 Apr 2011 07:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Jay Berkenbilt <qjb@debian.org>. (Wed, 27 Apr 2011 07:15:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2009-5022
Date: Wed, 27 Apr 2011 09:13:31 +0200

Package: tiff
Severity: grave
Tags: security

http://bugzilla.maptools.org/show_bug.cgi?id=1999 has been assigned
CVE-2009-5022.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#624287; Package tiff. (Sat, 07 May 2011 14:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sat, 07 May 2011 14:15:05 GMT) Full text and rfc822 format available.

Message #10 received at 624287@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>
Cc: 624287@bugs.debian.org
Subject: Re: Bug#624287: CVE-2009-5022
Date: Sat, 07 May 2011 10:00:47 -0400

Moritz Muehlenhoff <muehlenhoff@univention.de> wrote:

> http://bugzilla.maptools.org/show_bug.cgi?id=1999 has been assigned
> CVE-2009-5022.

This bug was already fixed in 3.9.5, so it only affects stable and
oldstable.  I'll update the found/fixed versions and prepare packages
for stable and oldstable.

-- 
Jay Berkenbilt <qjb@debian.org>




Bug Marked as found in versions 3.8.2-11.3. Request was from Jay Berkenbilt <qjb@debian.org> to control@bugs.debian.org. (Sat, 07 May 2011 14:15:19 GMT) Full text and rfc822 format available.

Bug Marked as found in versions 3.9.4-5. Request was from Jay Berkenbilt <qjb@debian.org> to control@bugs.debian.org. (Sat, 07 May 2011 14:15:20 GMT) Full text and rfc822 format available.

Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Sat, 07 May 2011 14:15:27 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Sat, 07 May 2011 14:15:27 GMT) Full text and rfc822 format available.

Message #19 received at 624287-done@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: 624287-done@bugs.debian.org, control@bugs.debian.org
Subject: updating versions
Date: Sat, 07 May 2011 10:04:40 -0400

Version: 3.9.5-1

found 624287 3.8.2-11.3
found 624287 3.9.4-5
thanks




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#624287; Package tiff. (Sat, 07 May 2011 14:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sat, 07 May 2011 14:18:03 GMT) Full text and rfc822 format available.

Message #24 received at 624287@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>
Cc: 624287@bugs.debian.org
Subject: Re: Bug#624287: CVE-2009-5022
Date: Sat, 07 May 2011 10:15:12 -0400

Moritz Muehlenhoff <muehlenhoff@univention.de> wrote:

> http://bugzilla.maptools.org/show_bug.cgi?id=1999 has been assigned
> CVE-2009-5022.

Actually, it doesn't apply to oldstable either.  That code didn't exist
before 3.9.  So I'll prepare packages for stable-security only.




Bug No longer marked as found in versions 3.8.2-11.3. Request was from Jay Berkenbilt <qjb@debian.org> to control@bugs.debian.org. (Sat, 07 May 2011 14:18:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#624287; Package tiff. (Sat, 07 May 2011 14:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jay Berkenbilt <qjb@debian.org>:
Extra info received and forwarded to list. (Sat, 07 May 2011 14:36:05 GMT) Full text and rfc822 format available.

Message #31 received at 624287@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>
Cc: 624287@bugs.debian.org
Subject: Re: Bug#624287: CVE-2009-5022
Date: Sat, 07 May 2011 10:34:12 -0400

Attached is a patch to create tiff-3.9.4-5+squeeze2 from
tiff-3.9.4-5+squeeze1.  I have tested by building in unstable.  While
I'm certain that the patch applies, I was not able to reproduce the
problem using the test case posted in upstream's bugzilla.  In any case,
I don't believe that's essential as the updated version clearly includes
the accepted fix and otherwise works.

As indicated earlier, the patch is already included in 3.9.5, and the
broken code did not exist prior to the OJPEG rewrite in 3.9.4, so only
stable is affected.  I close the bug in the changelog here so hopefully
that will update the BTS's record of versions.  I have already indicated
that it is found in 3.9.4-5 and fixed in 3.9.5-1.

--Jay

[tiff-3.9.4-5+squeeze1-to-3.9.4-5+squeeze2.patch (text/x-diff, attachment)]

Reply sent to Jay Berkenbilt <qjb@debian.org>:
You have taken responsibility. (Fri, 10 Jun 2011 19:57:09 GMT) Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Fri, 10 Jun 2011 19:57:09 GMT) Full text and rfc822 format available.

Message #36 received at 624287-close@bugs.debian.org (full text, mbox):

From: Jay Berkenbilt <qjb@debian.org>
To: 624287-close@bugs.debian.org
Subject: Bug#624287: fixed in tiff 3.9.4-5+squeeze2
Date: Fri, 10 Jun 2011 19:55:05 +0000

Source: tiff
Source-Version: 3.9.4-5+squeeze2

We believe that the bug you reported is fixed in the latest version of
tiff, which is due to be installed in the Debian FTP archive:

libtiff-doc_3.9.4-5+squeeze2_all.deb
  to main/t/tiff/libtiff-doc_3.9.4-5+squeeze2_all.deb
libtiff-opengl_3.9.4-5+squeeze2_amd64.deb
  to main/t/tiff/libtiff-opengl_3.9.4-5+squeeze2_amd64.deb
libtiff-tools_3.9.4-5+squeeze2_amd64.deb
  to main/t/tiff/libtiff-tools_3.9.4-5+squeeze2_amd64.deb
libtiff4-dev_3.9.4-5+squeeze2_amd64.deb
  to main/t/tiff/libtiff4-dev_3.9.4-5+squeeze2_amd64.deb
libtiff4_3.9.4-5+squeeze2_amd64.deb
  to main/t/tiff/libtiff4_3.9.4-5+squeeze2_amd64.deb
libtiffxx0c2_3.9.4-5+squeeze2_amd64.deb
  to main/t/tiff/libtiffxx0c2_3.9.4-5+squeeze2_amd64.deb
tiff_3.9.4-5+squeeze2.debian.tar.gz
  to main/t/tiff/tiff_3.9.4-5+squeeze2.debian.tar.gz
tiff_3.9.4-5+squeeze2.dsc
  to main/t/tiff/tiff_3.9.4-5+squeeze2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 624287@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Berkenbilt <qjb@debian.org> (supplier of updated tiff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sat, 07 May 2011 10:21:28 -0400
Source: tiff
Binary: libtiff4 libtiffxx0c2 libtiff4-dev libtiff-tools libtiff-opengl libtiff-doc
Architecture: source all amd64
Version: 3.9.4-5+squeeze2
Distribution: stable-security
Urgency: high
Maintainer: Jay Berkenbilt <qjb@debian.org>
Changed-By: Jay Berkenbilt <qjb@debian.org>
Description: 
 libtiff-doc - TIFF manipulation and conversion documentation
 libtiff-opengl - TIFF manipulation and conversion tools
 libtiff-tools - TIFF manipulation and conversion tools
 libtiff4   - Tag Image File Format (TIFF) library
 libtiff4-dev - Tag Image File Format library (TIFF), development files
 libtiffxx0c2 - Tag Image File Format (TIFF) library -- C++ interface
Closes: 624287
Changes: 
 tiff (3.9.4-5+squeeze2) stable-security; urgency=high
 .
   * CVE-2009-5022: Buffer overflow in OJPEG support. (Closes: #624287)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 26 Oct 2011 07:42:45 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 18:16:58 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.